Security alerts are generated in silos. Each category (email, network, endpoint, cloud and identity) has its own set of tools that monitor logs and raise an alert when a suspicious pattern is seen. Activity across these categories is often related, but the detection platforms can’t connect the dots because the systems don’t talk to each other. So incident responders are left with the job of searching across tools and databases for related information before they can make a decision.
Finding that information is time-consuming, monotonous, and error-prone, and every incident responder faces it. With the volume of alerts generated every day, it’s easy to fall behind. The risk of skipping this work is missing a related activity and misclassifying an incident as a false positive or as contained.
Across use cases, users gain the most consistent value when SOAR playbooks are used to automatically consolidate relevant, contextual information and display it in a way that helps analysts make better decisions.
For example, here is an alert created by CrowdStrike when a task was executed that may indicate malware on a device.
This alert tells us the event time, the hostname, the parent process, and the username. What it doesn’t tell us is where the file that triggered the process came from, whether the user’s account has been compromised, and whether the machine is communicating with any suspicious hosts outside the network.
This is where SOAR playbooks come in. When an incident is raised a series of…
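The enrichment described above, as an added example that is not part of the original post and not code from CrowdStrike or any SOAR product: a small Python playbook that takes an endpoint alert carrying the four fields listed (event time, hostname, parent process, username) and answers the three open questions by correlating against an email gateway log, an identity-provider sign-in log, and a network egress log. The alert, all log records, the threat list, the internal domain name and the time windows are constructed placeholders; in a real playbook each lookup would be an API call to the respective tool, and the correlation keys (username, hostname, filename stem, time window) are the part worth keeping.

```python
from datetime import datetime, timedelta

# Constructed alert shaped like the fields the post lists; every value is made up.
ALERT = {
    "event_time": "2024-03-04T10:15:00",
    "hostname": "WS-1042",
    "username": "jdoe",
    "parent_process": "outlook.exe",
    "process": "invoice_0342.exe",
}

# Constructed records standing in for three siloed sources.
EMAIL_LOG = [  # email gateway: attachment deliveries
    {"time": "2024-03-04T09:58:00", "recipient": "jdoe",
     "sender": "billing@example.net", "attachment": "invoice_0342.zip"},
    {"time": "2024-03-01T08:00:00", "recipient": "jdoe",
     "sender": "hr@corp.example", "attachment": "handbook.pdf"},
]
IDENTITY_LOG = [  # identity provider: successful sign-ins
    {"time": "2024-02-20T09:00:00", "user": "jdoe", "country": "US"},
    {"time": "2024-03-01T09:05:00", "user": "jdoe", "country": "US"},
    {"time": "2024-03-04T10:40:00", "user": "jdoe", "country": "RO"},
]
NETWORK_LOG = [  # proxy/firewall: outbound connections per host
    {"time": "2024-03-04T10:16:00", "host": "WS-1042", "dst": "203.0.113.50", "port": 443},
    {"time": "2024-03-04T10:20:00", "host": "WS-1042", "dst": "198.51.100.20", "port": 443},
]
KNOWN_BAD_DESTINATIONS = {"203.0.113.50"}  # placeholder threat list (TEST-NET address)
INTERNAL_DOMAIN = "corp.example"           # placeholder; senders outside it count as external


def _ts(s):
    return datetime.fromisoformat(s)


def _in_window(record_time, alert_time, before_h, after_h):
    """True if record_time lies within [alert - before_h, alert + after_h]."""
    t, a = _ts(record_time), _ts(alert_time)
    return a - timedelta(hours=before_h) <= t <= a + timedelta(hours=after_h)


def file_origin(alert, email_log, before_h=24):
    """Email gateway: did an attachment with the same base name reach this user before the alert?"""
    stem = alert["process"].rsplit(".", 1)[0].lower()
    for rec in email_log:
        if rec["recipient"] != alert["username"]:
            continue
        if rec["attachment"].rsplit(".", 1)[0].lower() != stem:
            continue
        if _in_window(rec["time"], alert["event_time"], before_h, 0):
            return {"sender": rec["sender"], "attachment": rec["attachment"],
                    "external": not rec["sender"].endswith("@" + INTERNAL_DOMAIN)}
    return None


def identity_anomalies(alert, identity_log, window_h=2):
    """IdP: sign-ins around the alert from a country absent from the user's earlier history."""
    user_events = [r for r in identity_log if r["user"] == alert["username"]]
    cutoff = _ts(alert["event_time"]) - timedelta(hours=window_h)
    baseline = {r["country"] for r in user_events if _ts(r["time"]) < cutoff}
    return [r for r in user_events
            if _in_window(r["time"], alert["event_time"], window_h, window_h)
            and r["country"] not in baseline]


def suspicious_egress(alert, network_log, window_h=1):
    """Network: outbound connections from the alerting host to listed destinations after the alert."""
    return [r for r in network_log
            if r["host"] == alert["hostname"]
            and r["dst"] in KNOWN_BAD_DESTINATIONS
            and _in_window(r["time"], alert["event_time"], 0, window_h)]


def enrich(alert, email_log=EMAIL_LOG, identity_log=IDENTITY_LOG, network_log=NETWORK_LOG):
    """Consolidate the three lookups into one record an analyst can triage from."""
    origin = file_origin(alert, email_log)
    identity = identity_anomalies(alert, identity_log)
    egress = suspicious_egress(alert, network_log)
    # Each independent source that corroborates the endpoint alert raises the priority.
    score = sum([bool(origin and origin["external"]), bool(identity), bool(egress)])
    priority = {0: "low", 1: "medium"}.get(score, "high")
    return {"alert": alert, "file_origin": origin, "identity_anomalies": identity,
            "suspicious_egress": egress, "corroborating_signals": score, "priority": priority}


if __name__ == "__main__":
    import json
    print(json.dumps(enrich(ALERT), indent=2))
```

For the constructed alert this returns a high-priority record: the executable's name matches an attachment from an external sender delivered 17 minutes earlier, the user signed in from a country never seen in their history shortly after, and the host connected to a listed destination within a minute. An alert with no matching email, no unusual sign-in and no listed egress comes back as low priority with the same three fields present but empty, which is the point: the analyst sees the answer to each question, not just the alert.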